A Russian company that acquires and sells zero-day exploits — flaws in software that are unknown to the affected developer — is now offering to pay researchers $20 million for hacking tools that would allow its customers to hack iPhones and Android devices.
Operation Zero, which launched in 2021, announced the new bounties on its Telegram and X (formerly Twitter) accounts on Wednesday. The company said that the increased payouts are intended to “encourage the developer teams to work with our platform.”
Due to high demand on the market, we're increasing payouts for top-tier mobile exploits. In the scope:
— iOS RCE/LPE/SBX/full chain — From $200,000 up to $20,000,000 (twenty millions).
— Android RCE/LPE/SBX/full chain — The same.
As always, the end user is a non-NATO country.
— Operation Zero (@opzero_en) September 26, 2023
The categories in that post are the standard ones for this market: remote code execution (RCE), local privilege escalation (LPE), sandbox escape (SBX), and a full chain that combines them into a working compromise of the device. Operation Zero also said that it only sells to non-NATO countries and that its clients are Russian private and government organizations only. CEO Sergey Zelenyuk declined to say why the company only sells to non-NATO countries, but said that the bounties offered by Operation Zero may be temporary and reflect how difficult iOS and Android have become to exploit.
“The price formation of specific items is heavily dependent on the availability of the product on the zero-day market,” Zelenyuk said in an email. “Full chain exploits for mobile phones are the most expensive products right now and they’re used mostly by government actors. When an actor needs a product, sometimes they’re ready to pay as much as possible to possess it before it gets into the hands of other parties.”
For at least a decade, various companies around the world have offered bounties to security researchers willing to sell vulnerabilities and the techniques needed to exploit them. Unlike traditional bug bounty platforms like HackerOne or Bugcrowd, companies like Operation Zero don’t alert the vendors whose products are vulnerable; instead they sell the exploits to government customers, so the flaws stay unpatched for as long as the buyer wants to use them.
This is inherently a gray market, where prices fluctuate and the identity of the customers is often secret. But there are and have been public price lists such as the ones published by Operation Zero.
Zerodium, a company that was launched in 2015, offers up to $2.5 million for a chain of bugs that allows customers to hack an Android device with no interaction from the target. For the same type of zero-click chain on iOS, Zerodium offers up to $2 million, according to its website.
Crowdfense, a competitor based in the United Arab Emirates, offers up to $3 million for the same kind of chain of bugs on Android and iOS.
Referring to the bounties offered by Zerodium and Crowdfense, Zelenyuk said he doesn’t believe actual market prices will ever drop that low.
“The Zerodium price sheet is outdated, but it doesn’t mean the company still buys for such low prices. They just don’t need to update them, the zero-day business works fine regardless of that,” said Zelenyuk.
The market for zero-days is largely unregulated. However, in some countries, companies must obtain export licenses from the government they operate under. That process essentially means asking permission to sell to specific countries, and permission may be refused for some destinations. The result is a fractured market that is increasingly shaped by politics.
For example, a recently passed law in China mandates that security researchers alert the Chinese government of bugs before they alert the software makers. This law, according to experts, effectively means China is cornering the market for zero-days in an attempt to use them for intelligence purposes.
Implications for Users
That a company is willing to pay $20 million for an exploit chain against iPhones and Android devices is a sobering reminder of what a working mobile exploit is worth to well-funded attackers. Apple and Google keep hardening their operating systems, and the size of the bounty reflects how hard a full chain has become to build, but no system is perfect.
A zero-day is by definition unpatched, so no single step stops one outright. As a user, there are still a few things you can do to narrow the window and limit the damage:
- Keep your software up to date. Exploit chains that are sold on this market are eventually discovered and patched, and once that happens they only keep working against devices that haven’t installed the fix. Install updates as soon as they ship.
- Be careful about what links you click on and what attachments you open. Many exploit chains still need the target to open a link or a file, and phishing remains a common way to deliver them. Be aware, though, that the most expensive chains are zero-click and need no interaction from the target at all.
- Use a password manager to create and manage unique passwords for all of your online accounts. This protects your accounts if a password leaks elsewhere; it does not protect a device that has already been fully compromised.
- Enable two-factor authentication (2FA) whenever possible. 2FA adds an extra layer of security to your accounts by requiring a code from your phone in addition to your password. Like a password manager, it protects accounts rather than the phone itself: an attacker who controls the device can often read the codes it receives.
- If you believe you may be personally targeted, enable Apple’s Lockdown Mode on iOS. It turns off features that exploit chains commonly rely on, such as most message attachment types and some web technologies, at the cost of some convenience.
Source: TechCrunch